Enabling Adiantum

Adiantum is an encryption method designed for devices running Android 9 and
higher whose CPUs lack AES instructions. If you are shipping an ARM-based
device with ARMv8 Cryptography Extensions or an x86-based device with AES-NI,
you should not use Adiantum. AES is faster on those platforms.

For devices lacking these AES CPU instructions, Adiantum provides encryption on
your device with very little performance overhead. For benchmarking numbers,
see the Adiantum paper. For the benchmarking source to run on your hardware,
see the Adiantum source on GitHub.

To enable Adiantum on a device running Android 9 or higher, you need to
make kernel changes and userspace changes.

Kernel changes

Cherry-pick the Adiantum changes to your kernel and apply an additional
dm-crypt patch. If you're having trouble cherry-picking, devices
using full-disk encryption (FDE) can exclude the
"fscrypt: " patch.

Devices with full-disk encryption

Note: Full-disk encryption is not allowed on new
devices running Android 10 and higher. For new devices, use file-based encryption.

To enable Adiantum and improve its performance, set these properties in
PRODUCT_PROPERTY_OVERRIDES:

ro.crypto.fde_algorithm=adiantum
ro.crypto.fde_sector_size=4096

Setting fde_sector_size to 4096 improves performance, but is not
required for Adiantum to work. To use this setting, the userdata partition must
begin at a 4096-byte aligned offset on-disk.

In the fstab, for userdata set:

forceencrypt

To verify that your implementation worked, take a bug report or run:

adb root
adb shell dmesg

If Adiantum is enabled correctly, you should see this in the kernel log:

Note: For ARM-based devices, the implementation name should match exactly. If
you don't see references to neon, your device won't perform as well. See the
Enable Adiantum in your kernel section for details on enabling NEON
instructions.
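
The following pre-flight check is an added example, not part of the original page or of AOSP. It applies two conditions stated above: Adiantum should not be used when the CPU has AES instructions, and fde_sector_size=4096 requires userdata to start at a 4096-byte aligned offset. The function names and sample inputs are constructed; it assumes you have a copy of the device's /proc/cpuinfo and the userdata start offset in 512-byte sectors (the unit used by /sys/class/block/<partition>/start).

```shell
#!/bin/sh
# Added example: choose FDE properties from CPU features and partition alignment.

# Succeeds if a /proc/cpuinfo dump lists the "aes" CPU feature
# (ARM "Features" line or x86 "flags" line).
cpu_has_aes() {
    grep -E '^(Features|flags)[[:space:]]*:' "$1" | grep -qw aes
}

# Succeeds if a partition starting at sector $1 (512-byte sectors)
# begins on a 4096-byte boundary.
is_4k_aligned() {
    [ $(( $1 * 512 % 4096 )) -eq 0 ]
}

# Prints the PRODUCT_PROPERTY_OVERRIDES entries that fit the device.
# Returns 1 and prints a reason when Adiantum should not be used.
adiantum_fde_props() {
    cpuinfo=$1
    start_sector=$2
    if cpu_has_aes "$cpuinfo"; then
        echo "CPU has AES instructions: do not use Adiantum"
        return 1
    fi
    echo "ro.crypto.fde_algorithm=adiantum"
    # The 4096-byte sector size is optional and only valid when aligned.
    if is_4k_aligned "$start_sector"; then
        echo "ro.crypto.fde_sector_size=4096"
    fi
}

# Constructed sample inputs (not captured from real devices).
demo_dir=$(mktemp -d)
printf 'Features\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4\n' \
    > "$demo_dir/no_aes"
printf 'Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32\n' \
    > "$demo_dir/with_aes"

adiantum_fde_props "$demo_dir/no_aes" 2048            # aligned start
adiantum_fde_props "$demo_dir/no_aes" 2049            # unaligned start
adiantum_fde_props "$demo_dir/with_aes" 2048 || true  # AES present
rm -rf "$demo_dir"
```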
